Hi All..
The syntax for naming our indices for different applications is "application-YYYY-ww".
But we are having some indices that are getting generated as application-2021.53. And they have significant sizes too, the largest one being 37GB. So we can't ignore those indices.
Can I get an explanation on why they are getting created and how to avoid index names getting names that way?
Following is the pipeline:
> input {
> }
> }
> filter {
> ##a lot of application related processing
> } else {
> mutate {
> add_field => { "indexprefix" => "application_name.default.%{[fields][cluster]}-" }
> }
> mutate {
> lowercase => [ "indexprefix" ]
> }
> }
> }
> output {
> elasticsearch {
> hosts => []
> ssl => true
> cacert => '/etc/logstash/ssl/cl-root.crt'
> manage_template => false
> index => "%{indexprefix}%{+YYYY.ww}"
> }
> }